Beautiful Trade/Broken Incentives

From WikiContent

A common economic issue in information security involves broken incentives. Incentives are
a critical factor in any system dealing with multiple parties, particularly where that system
depends on people with free choice doing the “right thing.” If the proper incentives are not in
place, breakdowns typically occur. To correct for the externalities that lead to these
breakdowns (market failures), financial systems rely on two mechanisms:

Regulation

Governments or industry consortia put rules in place to address market failures such as
monopolies, pollution, misalignment with the “greater good,” or, in this case, a lack of
information security. Forms of regulation in this area include the Health Insurance
Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Financial Services
Modernization Act (GLBA), and the Sarbanes-Oxley Act (SOX).

Liability

This legal framework imposes damages (usually financial) on parties judged liable for harm
caused by their acts of commission or omission. In the case of information security, a person
or company may be found liable if they do not take reasonable precautions to protect
information.

Let’s look now at why the credit card “security market” experiences market failures. Following
our financial model, we must examine the current incentives of the primary participants in
this market: consumer, merchant, service provider, acquiring bank, issuing bank, and card
associations.

Consumer

It’s often assumed that consumers guard their credit card information with care because they
have the most to lose when it’s abused. Because existing regulation already controls some of
these externalities, however, this is not actually the case. In the United States, a consumer is
liable only for the first $50 of any fraud committed against his account, and the issuing bank
will typically waive even that $50 in order to keep its customer base happy.

Therefore, while most consumers express a desire to protect their account numbers, security
codes, and expiration dates, in the heat of a purchase there is actually very little incentive for
the consumer to hold back the information. The incentives that do exist are not financial as
much as saving the time and hassle associated with a compromised card.

As a point of comparison, there is a greater consumer incentive to protect a debit card, because
the consumer is not protected by the same regulations as with credit cards: liability for debit
card fraud depends on how quickly the loss is reported and can be far higher than $50. Also,
debit cards are usually tied directly to consumer checking and savings accounts, so a debit
card compromise causes an immediate financial hit to the consumer rather than a disputed
charge on a statement.

Merchant and service provider

In the existing model, the merchant actually has quite a bit to lose in case of a breach. A
compromise of cardholder data can lead to consequences related to both regulation and
liability. Merchants are regulated by the card associations through the Payment Card Industry
Data Security Standard (PCI DSS), which merchants must adhere to when handling cardholder
data and when operating the systems and networks that contain and transmit it. A merchant
found in breach of this standard suffers both financial and operational penalties, enforced by
the card associations. Financial penalties are usually assessed against the acquiring bank,
which in turn passes those fines on to the merchant. Merchants can also be found liable and
sued by the issuing banks, and required to indemnify them for any costs associated with a
breach, including the cost of reissuing cards.

Merchants also bear the financial responsibility for accepting fraudulent cards used to make
purchases within their environment (except when using 3-D Secure, which shifts that liability
to the issuer). A merchant must put a number of fraud-detection systems in place in order to
ensure that the card being used is valid and is being presented by the legitimate cardholder.
If a merchant ends up accepting a fraudulent card, the issuing bank issues a chargeback,
refunding the consumer’s account. If the merchant has already processed the transaction and
provided the product or service, it has to absorb the loss associated with that transaction.

Although the merchants have a lot of incentive to protect this information, they do not control
enough of the purchase process to do so effectively. As noted earlier, this data must pass
through multiple systems, including systems outside the merchant’s direct control. We also
saw that many merchants hold on to some of this data long after the transaction, adding further
risk.

Service providers are also regulated by the PCI DSS. According to the PCI Security Standards
Council, a service provider is a:

...business entity that is not a payment card brand member or a merchant directly involved in
the processing, storage, transmission, and switching of transaction data and cardholder
information or both. This also includes companies that provide services to merchants, service
providers or members that control or could impact the security of cardholder data. Examples
include managed service providers that provide managed firewalls, IDS and other services as
well as hosting providers and other entities. Entities such as telecommunications companies that
only provide communication links without access to the application layer of the communication
link are excluded.

Many of the same rules that apply to merchants also apply to service providers, who face
similar penalties and liabilities. Their incentives are not quite the same, however, because they
have no direct interaction with the consumer. That said, brand damage can still be a large
factor within the business-to-business space.

Acquiring and issuing banks

The acquiring (merchant) bank and the issuing bank are heavily regulated entities whose
requirements for information protection go well beyond the Payment Card Industry. The
issuing bank has the added incentive of representing the consumer in this transaction. This
usually means it not only looks to protect this data but often serves as an advocate for its
customer. The acquiring bank, while subject to many financial laws and regulations, usually
serves as a middleman or pass-through and is therefore implicated in the penalties
associated with merchants and service providers. When a merchant or one of its service
providers is believed to have been breached, the acquiring bank passes on any fines assessed
by the card associations to those parties, since it directly manages the relationship with the
merchant.

Card association

The card association’s primary incentive to prevent fraud is brand protection. Simply stated,
excessive breaches involving a given brand could taint its image and lower the use of its
network. The financial consequences of a breach to the card associations are not necessarily
tangible; what they mainly want is for consumers to feel safe when shopping with their card.
The PCI DSS was created when several card brands combined their separate security programs
in an attempt to self-regulate and protect their brands.

He who controls the spice

Overall, each player within a transaction carries some incentive to protect this data (ironically,
the consumer has the least). But significantly, the incentives do not align with who has
control. No single player can completely control the protection of the data, nor does any party
have incentives commensurate with its control over the protection of the shared secret as it
travels through the various environments.

The current system simply has too many parties that require knowledge of this shared secret,
with inadequate incentives to expect the information to remain confidential throughout its
life. Multiply the generic diagram of a single transaction in Figure 5-1 by the number of
transactions throughout the life of a card, and you’ll see that thousands of data handlers are
often entrusted with the care of a single shared secret.